Scoring and prioritizing security vulnerabilities

NetApp scores security vulnerabilities and prioritizes responses according to industry standards.

To standardize the description of each public vulnerability, NetApp® security advisories reference a CVE-ID. NetApp uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to determine vulnerability priority and notification strategy.

Our security advisories and notices include the NetApp-determined Base vulnerability score. We encourage customers using CVSS for vulnerability classification and management to compute their own Temporal and Environmental scores to take full advantage of the CVSS metrics.

Standard delivery methods for NetApp security information:

  • Security Advisory—significant security vulnerabilities that directly affect NetApp products and require an upgrade, patch, or direct customer action to remediate.
  • Security Bulletin—low- and medium-severity security issues that impact NetApp products.
  • Security Notices—may be used when a third party makes an unconfirmed public statement about a perceived NetApp product vulnerability, or NetApp products are unofficially implicated in security incidents.
  • Security Bug Reports—provide information about low-severity security vulnerabilities, available via Bugs Online (requires login).

Read more about CVE-IDs at the Mitre.org page.

For more information about CVSS, visit the FIRST.org/cvss web site.